Roger Binns
rogerb at rogerbinns.com
Sat May 12 02:13:13 EDT 2007
Graham Dumpleton wrote:
> You basically didn't want to agree and said:
>
> """That is the easy bit :-) Just copying the authentication response
> headers from /api will do the trick."""
>
> I still believe that you don't quite understand what would happen. Let
> me see if I can explain it again in a way you can understand.

I really do understand what I am talking about :-)  How about some config
and code.

  <Location /api/v1/widget/>
  <Limit GET>
  Require group reader
  </Limit>
  </Location>

That ensures that Apache requires authentication for the rest service.
Now this is my code in the handler for /admin which has no directive
such as the above requiring authentication.

  from mod_python import apache

  def handler(req):
      name = "foo"
      # Before generating this page, check they can get info widget
      sub = req.lookup_method_uri("GET", "/api/v1/widget/" + name)
      # Copy any authentication to subrequest (the browser sends no
      # Authorization header on its first request to /admin, so guard
      # against it being absent)
      if "Authorization" in req.headers_in:
          sub.headers_in["Authorization"] = req.headers_in["Authorization"]
      # Run the subrequest
      sub.run()
      # Was authentication required?
      if sub.status == 401:
          req.status = 401
          req.headers_out["WWW-Authenticate"] = sub.headers_out["WWW-Authenticate"]
          return apache.OK
      if sub.status != 200:
          req.status = sub.status
          # ... copy error message or something similar ...
          return apache.OK
      # At this point we know that there is permission to read widget
      # ... generate page etc ...
      return apache.OK

> First off, you said that /admin would have no AuthType/AuthName
> directives covering that URL in the Apache configuration. Because of
> this fact, the browser isn't going to be sending any authentication
> information for that URL. Ie., there will be no Authorization header
> available to the request handler for the /admin URL.

That is correct. But the subrequest would return 401 if authentication
was required and that can be copied into the response for the request
so the browser will then retry with credentials.

> Your problem as you see it is how to check those credentials. The real
> problem at this point is where you are getting the credentials from if
> the browser isn't going to send them.

Well it would since I'd send them back from the subrequest as shown
above.

> You are skipping this important challenge step by assuming the
> credentials will be there and simply moving to try and validate them.

Err no, the challenge step is there due to sending 401 and the
WWW-Authenticate header back to the original request.

> Where web applications, such as Trac, use a /login URL as a single
> login point, once they have successfully logged in the user they then
> use cookies to track the fact that the user is logged in.

Yes. But those applications also have to implement their own
authorization system. I intend to let Apache do all that. For example
the administrator can do this in the configuration:

  <Location /api/v1/widget/>
  <Limit GET>
  Require group anyone
  </Limit>
  </Location>

  <Location /api/v1/widget/>
  <Limit DELETE>
  Require group admins
  </Limit>
  </Location>

But then they can be more specific as well:

  <Location /api/v1/widget/thelab>
  <Limit DELETE>
  Require group labadmins
  </Limit>
  </Location>

> If you still disagree, and maybe I am missing something, by what
> mechanism do you think the credentials will be available in the first
> place?

The bit you missed is that it is one line of code to copy a status and
another to copy an Authorization or WWW-Authenticate header :-)

> and dictates various approaches to how one might go about extending
> mod_python features without actually modifying mod_python.

I guess this looks the closest:

http://issues.apache.org/jira/browse/MODPYTHON-165

However if I am having to go to the trouble of writing an Apache module
I may as well just write one that meets my needs exactly and ignore
mod_python :-(

Roger
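Added example, not code from the post or from mod_python: a stand-alone Python model of the subrequest delegation described in the message, so the 401 challenge round-trip and the per-method `Require group` rules can be exercised without Apache. The `ACL` table, `USERS` table, realm name and `basic()` helper are constructed stand-ins; the model also shows that a `<Limit>` section only covers the methods it names, so a method the config does not list (POST here) passes the subrequest unchallenged.

```python
import base64

# Constructed stand-in for the <Location>/<Limit> sections quoted in the post:
# (location prefix, method) -> group that "Require group" demands.
ACL = {
    ("/api/v1/widget/thelab", "DELETE"): "labadmins",
    ("/api/v1/widget/", "DELETE"): "admins",
    ("/api/v1/widget/", "GET"): "reader",
}
# Constructed user table: name -> (password, set of groups).
USERS = {"alice": ("s3cret", {"reader"}), "bob": ("hunter2", {"reader", "admins"})}

def required_group(method, uri):
    """Most specific matching <Location> wins; None means no rule covers the method."""
    matches = [(loc, g) for (loc, m), g in ACL.items() if m == method and uri.startswith(loc)]
    return max(matches, key=lambda x: len(x[0]))[1] if matches else None

def subrequest(method, uri, headers):
    """Model of Apache's auth/authz phases for the subrequest: returns (status, headers_out)."""
    group = required_group(method, uri)
    if group is None:
        return 200, {}                      # unlisted method: no challenge at all
    challenge = {"WWW-Authenticate": 'Basic realm="widgets"'}
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, challenge
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:
        return 401, challenge
    entry = USERS.get(user)
    if entry is None or entry[0] != password:
        return 401, challenge               # bad credentials: challenge again
    return (200, {}) if group in entry[1] else (403, {})

def admin_handler(headers_in, name="foo"):
    """The /admin handler in miniature: delegate the decision to the
    /api/v1/widget/ rules and relay any 401 challenge back to the browser."""
    sub_headers = {}
    if "Authorization" in headers_in:       # absent on the browser's first request
        sub_headers["Authorization"] = headers_in["Authorization"]
    status, hdrs = subrequest("GET", "/api/v1/widget/" + name, sub_headers)
    if status == 401:
        return 401, {"WWW-Authenticate": hdrs["WWW-Authenticate"]}, ""
    if status != 200:
        return status, {}, "subrequest denied"
    return 200, {}, "admin page for " + name

def basic(user, password):
    """Build a Basic Authorization header value for the constructed users."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```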